libsepol: do not wrap integers when checking bound

Some invalid policies might have p->p_types.nprim = 0. When parsing
such a policy, "i > p->p_types.nprim - 1" is always false even though
reading p->type_val_to_struct[i] triggers a segmentation fault.

Make type_set_expand() return an error when parsing such a policy by
correctly handling the case where p->p_types.nprim is zero.

This issue has been found while fuzzing semodule_package with the
American Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nicolas Iooss 2017-04-07 22:44:31 +02:00 committed by Stephen Smalley
parent 42e32227da
commit 3e7fd1daba


@ -2527,7 +2527,7 @@ int type_set_expand(type_set_t * set, ebitmap_t * t, policydb_t * p,
* invalid policies might have more types set in the ebitmap than
* what's available in the type_val_to_struct mapping
*/
if (i > p->p_types.nprim - 1)
if (i >= p->p_types.nprim)
goto err_types;
if (!p->type_val_to_struct[i]) {
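Review bot: The comment above the check ("invalid policies might have more types set in the ebitmap than what's available in the type_val_to_struct mapping") still describes only the "too many types" case and not the nprim == 0 case that motivated this change; consider extending it, e.g. "also guards nprim == 0, where nprim - 1 would wrap and the old test never fired". The replacement of `i > p->p_types.nprim - 1` with `i >= p->p_types.nprim` is the right fix: the two expressions are equivalent for nprim >= 1, and the new form avoids the subtraction entirely, so an unsigned nprim of zero can no longer wrap to a huge value and let the out-of-bounds read of type_val_to_struct[i] go ahead.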